The SPICE project is working to eliminate vulnerabilities triggered by a variety of low-level errors in stripped x86 binaries. As part of this project we are developing on a combined dynamic and static type inference system. This system analyzes reads and writes to infer how the application structures the flat x86/x64 address space. It uses this information to preserve the integrity of the execution. For example, SPICE is designed to neutralize attacks that attempt to exploit buffer overflow vulnerabilities within allocation units. SPICE uses a configurable security policy to modify the execution to eliminate the vulnerability and enable continued safe execution.
The SPICE project is also developing a precise taint tracing system. This system combines static and dynamic analysis to minimize overhead. The taint information enables SPICE to detect the unsafe direct use of untrusted input fields at vulnerability sites such as SQL and command invocation sites and memory allocation sites. SPICE also tracks memory allocation information to eliminate buffer overflow attacks.